ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c97-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Executes dropped EXE 1 IoCs

pid	Process
4392	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
4812	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
4392	DPBJ.exe
4392	DPBJ.exe
4392	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File opened for modification	C:\Windows\SysWOW64\28463	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_30.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_50.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_24.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_24.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_47.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_14.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_38.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_42.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.002	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.007	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_38.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_49_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_42.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_29.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768576645747755"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\InprocServer32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\Flags\ = "0"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\InprocServer32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\TypeLib\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\Version	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\imapi2.dll"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\Flags\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\Version\ = "1.0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\ = "Microsoft OneNote 12.0 Type Library"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\0\Win32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\ONENOTE.EXE\\2"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\HelpDir	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\TypeLib	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\ProgID	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\Programmable	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\Programmable\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\HelpDir\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\VersionIndependentProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\VersionIndependentProgID\ = "IMAPI2.MsftWriteEngine2"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\TypeLib\ = "{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\0\Win32	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\0\Win32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E5F9F15E-4C09-6E72-FABE-F34AB0B06EDA}\1.0\Flags	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\Version\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\ = "Inacica.Afadfat"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\ProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\ProgID\ = "IMAPI2.MsftWriteEngine2.1"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B484CA24-54CF-4D82-369D-789FC83A296B}\VersionIndependentProgID	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe
4788	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4392	DPBJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4392	DPBJ.exe
Token: SeIncBasePriorityPrivilege	4392	DPBJ.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4392	DPBJ.exe
4392	DPBJ.exe
4392	DPBJ.exe
4392	DPBJ.exe
4392	DPBJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 4392	4812	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 4812 wrote to memory of 4392	4812	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 4812 wrote to memory of 4392	4812	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 5016 wrote to memory of 4468	5016	chrome.exe	96
PID 5016 wrote to memory of 4468	5016	chrome.exe	96
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 1456	5016	chrome.exe	97
PID 5016 wrote to memory of 748	5016	chrome.exe	98
PID 5016 wrote to memory of 748	5016	chrome.exe	98
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99
PID 5016 wrote to memory of 1868	5016	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff85917cc40,0x7ff85917cc4c,0x7ff85917cc58
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3316,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5000,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4876,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4672,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:3580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4940,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3332,i,14843295326729057088,6009396188299182267,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
94da1d359fd6ad6cff06d630e42b9208

SHA1
184651e893c61af26345a970a3a165090031a7f1

SHA256
b038f75fd0e2bf6a5d572d9b85ab92a2018572e766338fdb9f7e97266ef87976

SHA512
6afceec60fbc58a486196fd8a509279ee52571a0319b0fe50c0ab05116691f8b8793c8bd050f7f67cb296b7653aa31560e74806de26ee35102573d0b7187dbd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc6953d21200879f6367c7077955f1c8

SHA1
f62632f72794b2a6db71f04c729b4025ec857446

SHA256
1cff5018e29ebb575ca67a9024870ef5e0f1a36759dfb14e58b7a22268ffa7c2

SHA512
814061aec7959b9dd9343176c29bf764b50dfb19fb67d1f3e1a69681cfef12ed041114820c5381de00509e5af30ea0eb4870938c943d438bdd3b4111e176189b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2e4327b2d79156151df6f9af410bcd5d

SHA1
c4996115f39e97f67a3ec8e47d7d80c8097ce5fe

SHA256
f895f9cc030d1066c86f93da2b0234362fa83bb6f7dac78bc27dd98c2ba1b585

SHA512
c8bf55f93dcd8f038578242354cc60437b0d0282870252db25c141e6de0672c9b9fe4bc808c79ef7fb4fee7a73b17d9a6eb628e9500ccaa9520f9f08c7ad649a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
950e13ee98202f303a73e0bf8f40c8a7

SHA1
1c4c025fb08e81091b3b82dad88c6f58594c484b

SHA256
be35fecf02ac4927600bb853d26a384c86b600399a639f572db4bc927d0621ac

SHA512
50446d7cfa80cedda2c8bf13b95e58f824d27e67cb3e4420b9870d65983bd7ac2c9f63b665ec1c555f41a116fa4df23674f4853a8acd91519a59204e6ef9dd94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
288b7ff742dffe028f74d798a33d2240

SHA1
6d9ae9cb27611e6d558ce15623818b19a98ff866

SHA256
c4ac0339aa743dd9bd3a3f4cd2e58bb47ddc5cf0eda1d32fb6762d4b4ca04344

SHA512
53ac4cc76b58c5b215924ac44bfb56f5548ebc04ab8767cb228e8395d0225c92abc63316158beeae9c71dd49d5a1f3f0d37907ba2dc14d910e6b53f1128e6549

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
9863babf83f333ed9533339898d5fc07

SHA1
9b682f2a3b1513cd8b06349487a6303a8b630114

SHA256
eba60b0a66ad36ba123349f267d63cbd65217bfe260cbeacf6444eaec7b631fd

SHA512
843a6b6418cff42d1c2fb0de2a9ded98ec502e48b52313251d4e962f46ceb904787adf8d007e2e435da8efac8938e0920ed6d577faf954cc377606dbf2f2a504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9e252c1451ee21f4429d9593bed9d829

SHA1
f5426f06ef265054cd8ad1e5f53dc02b9403c4df

SHA256
ddd20dc43c78eb2dcfbe4dce5a69d69fb6135c6f107212fa2f4824b97b667cde

SHA512
40efd8a2929dc7beaccfda90631651b4972844f28f21b912d4b79cb9e75aa87e89699bf8b11b890a37998d8946a99e603561b9f6d6f7becfa3393f54e677ec9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
18403bc46ab9d7d1133013a0517916ee

SHA1
72cbb9ae0643794a933ff5ce74f48d9de948c295

SHA256
60c9949d7a129901ca96fc3fa46dbc09c56447e0377d2ed491f07a5b853cc7be

SHA512
86958e95824d0fffdb2ef986f6dbf68f7ab4c696e881ea9da4078cf09d0613fb5f754d702929d1825fb51a8392838b8f036228f9df145a1bf3d7a768d9dfd4ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
6e1a620279c9bf3ea624c8616dc5b497

SHA1
53d48cf01f979e9e39c42c4de7ffcf4e06965ede

SHA256
8ec108e9fc12afc5cff9a05963f496b1158f27be095c25214e9a0a7f03461af0

SHA512
14a245219986f785b22d78acf99e3b80d9788bab0a43b117d161d482cfb147f7c78b2661a2b1f367932f9fdf0129eccc8d4d6cf0a62801cb7473209db9c1db0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
582b87c4a77610bd324161a4e22ced22

SHA1
5a6e34235555f518c54014ad8393976686bc31fa

SHA256
f6f2c8ee9aea131c7c951489ffa782580357fad834ba9be14a900b7275ec9ca6

SHA512
746d2d57020a31f46a2fb4911ff56792a38320986ee5ff9e365e412b3ca52e6e7618db43d0e9af5e38ec5954f093771d6d7bceb8b4c7f2070e632fd4b135db4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
3e68dc3dcad8d489b6aeb21401e2fe14

SHA1
844f4d11f887c9c13bb46524f7642e97f55f02a9

SHA256
77dd4e37f6d540068818c30fe5513d7208d1f5b49f5bbd33f834842dfca04262

SHA512
ad271e21ad71d4df51bdb4a19366a270ad755d382136952151a1bc293244c40585451a2bd33af958db417d1ec1d073d3086a8cf6803a5888694b358e5ce44607

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
deb58a826510ca0dde4ac56ef4a908a7

SHA1
dd4fa34e990882a56f2810387910c7c8d65279b1

SHA256
1f516aef656368b2096e51ed642822c549a4b3e5921807d831417a9964b93f1b

SHA512
d1d27e8470fea987488c591358bee79dd4976ec82e31283a8605ea27dc1546990b0afd314f1d9d0e674b4895040002aba1922dba684505f6402f632c07431065

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
06c0af47c952f95e0dae8e195de7ce4c

SHA1
33099c6d20130de80e0829ee29aa1833486e356b

SHA256
139074f5dade0a26346926c3e39a0b46f8548df4dd4bd6ed0cf030c887040618

SHA512
f0a835ca53ae640cc684284c237681e4a10ebdb06e1f9ff717f9314aa4edd67ce1a5b7a1290455ec3a9150aa6b8c6848e78f458a7d30b09487152809d0c2fef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
7a4c851468ffab9c568072cc16e901b2

SHA1
57a88781915c75faa16739087e9f19c91aab86cb

SHA256
4b1de40f8570f3521457fdf4b7b420abb4f6deee2e2f5f9563bf2ea664390ed3

SHA512
7fcd69ccbb88da84f5f1257b2538c903d89c7b1b29054e02a6214ae345387deb1d5a407e7b15e4133ffb4fd0937cfa0827ff912b8fa4be9efa60133215022cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2036337d87ed7c7fb5d6b672c352bdcc

SHA1
f24ec3d2ada9f1f98384cfa9461cab92ff6f2860

SHA256
777e551cf8cf057fd0ef773fbc8726878694a9d638180a35289129c5b1a0aaf8

SHA512
4694dc8bce364ebf11fe9e92f5200d25db4d2df631deb4d7f8c8751ca708eb0518a1809b7fd2178b2464bc5924f42cf84bb932afebf383e0333ebeec7b60afa1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ef257fe5d71cbb927fa64655f3def239

SHA1
869485408cf1525847f2c78f5425fb60b40ae992

SHA256
4880a0cc44482e656cbbb6242753090b367ae98d99dfdd319a09174b39155497

SHA512
d91f47b25431b2fd54f5d8092acceb6a1a7cfd42484b6fbde6ce1c8c1a993eb2853fe9f6b1dcfe45c70915975e99f629aae656a7e3be9dc1e9b01cd17fea7616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d9b3e2080ed2f1941869883cec128793

SHA1
ab44563654170bc7e04dda83487b956fa77d4df6

SHA256
3688cda4bbbd42b4084f895b73ebae21ed642ea44ea900c95345807b09cea860

SHA512
6506dad3601961278dc02dac302d97d8cbc3ec0d1e63137051bdd6cfd4dfa87cb31902e8c2d086d40e2e2f6513a009f39d7f9dd4962546b626bcc07bb846e4ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c182cc4a3d80f6656a4f2bc1389e4628

SHA1
94f9d0b20fcfbe2096fc652f13f7735bc29c692a

SHA256
33e14270b8fe0077a481bb4b2f01155b5dbd91a6d508fde097c687984af285ab

SHA512
256ecc05f1d896d2c5345bd679c3ada74d95070f94087f362d43caaf1b4bca87f7b6f8b8b470d2187fd3dc486999f33c63ef8232ca44b96d533a6a5dc09a9462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
686394d7d79594ac7d8efe4ce573f498

SHA1
e197edd8869a6bf796edee74e83a28d137e98a13

SHA256
d2bdac515c3ba19c5a5c957fd4dee05b49f20e871651c9d726e7a00bfa3435e1

SHA512
ce1f607d726a7ef3207428e87fd538e7f23caa31e5eb37af091c3a851d3556877a857654d698c69669e1047a06ef41753f3d8fdf672122f1d888bfb086357fd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec8c1fbe224eaf616d997dc9b3d833c9

SHA1
0f64120f8b0b74f5a472655df4419812aca16e13

SHA256
22783368ad2f367d72e7cf8acb69f2301694fbdd4792aa8eadcb92721d82fdba

SHA512
25cb878e707550a20eba14dc63a3064fc7b7b820fd628ef46c284cd24c065a7570e2246bb0fa6df96e9000e534471748e061607890a1c71cfca533b8ac707869

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
54e3c2e35325428f4c02322af9defbcb

SHA1
96d1dd75fa68dae4384ec5353ef47a3765fe7c2e

SHA256
516bd17d951e18f4d1558dce8699a7dbcc82979a8430fb2774a91a313c3d0e0e

SHA512
c4ad1b7e91bbd615fe8f8ab20c75697437d9cfdb0af9839eb672af6714797407d240d6c24fd1cef9fd3dc97c1f061060a01853bda2c60953e578d48cce78f753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2927a9e3bac4b7f67ce856468c33f718

SHA1
446e963c21a3dfa62fef58ef9ae02b6ddd6aab71

SHA256
39325a6ea43067b3b18f85d676138b1b1d171838c5159daedbceb89df1c87791

SHA512
5c619de03b2d502b1ec078ac4e4f5a500aa07ef141f24c7a5bfa504b313c01602a09f4beb5512834d5239a82a45d17349afc8bb3841ff6aac5a234f87832da0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f005b54348da3acab57d8bd9c481b5d1

SHA1
ba04101a0f31c4189cc2819f79a61d72cbeb612b

SHA256
066eb27ee91e2d02ed8c8e23628b57150c06e876c33d15b6c576568b407bd0c7

SHA512
91f26cfc30bfbf2c24a5e23286b86dbfe03aab6cae5a5f74fc890af4989d9b99eb5abfe933ec6f43ad15562bcb93bed1004c4ff4cdfd1a2b5ac0d161f69011e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ef5727ded3f2d4abd70510b1dd306db5

SHA1
8408ae07ba0a6beed620fa0530d8e6922f4e254f

SHA256
52b92e2a33c53dd9182846241dc9d8316ebb46e7b4b6f362788ea53c5bec8bf5

SHA512
400a7ab9b8bb5d4ada87b0b7aa40d98d3266f37ff0d48870b847e2de9d5e9be9047e1f5ff9c42630d5049e073a0666f112c35945eec8988401cb3f4e3d1033dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
e85648b6d0a8c75f18a16609a3a1c509

SHA1
169dc99d877393a1c071dd569933b25e80a52b1d

SHA256
6abc9174cbd72b055f57d909e9ad84e2c69599c9ab752fd4c9664083fbda5af9

SHA512
bc81a78ae9caa7a7a9757d1963bf509801637094a9ec79994422412ea4ec91671794fc826532063bd89a17a04654fa133fb71925ed89efa5f7f7e109a27c7091

Download Submit
C:\Users\Admin\AppData\Local\Temp\@91A1.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.002

Filesize
222B

MD5
5185a3ca78b0bc514983fd5718bf7cef

SHA1
54ef79af3d4ac1125b4d2fa330eb10c123b4902f

SHA256
b4d8b7fd8690dbe28afc8f0715814a7edcfabcc4fc2cb8515abcd3cc6e629702

SHA512
295998de8870ed8a1931ce8660ea4005f8bf2bbfd5527a0e71310a7f630d2ac64c04ce3adc3d5e170e1df3438645db6fdf30a96494d506d3c24834a4bffd3eb5

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.002

Filesize
348B

MD5
cea6956c4f9d5c3b43b97d826a516a45

SHA1
213ec4f4677ed4ffdd91b45977a101d81099dff4

SHA256
f694890e59eca22e4f9c16d0d5471e20dbbb738f5ae1335c2302057b3112690c

SHA512
dae984a06b53893343a2493552266ac309c86c4ae8851d011a4849662a1238ebfbd94cdaff2213dee1f3709f5043c47c4ba976fc28a5ed3ba1294e565e068d6f

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.5MB

MD5
f314f2badfba5de207b5a9d24d4f54c9

SHA1
31eadc2b3f7894d10f8996a12ec9e607ec59a7ea

SHA256
3ee4de0d1d4b0e0d03a5699417ec4ab53f08409edfdd952f8807680526ceb622

SHA512
bf1681e5748523a619eccdd0f456cc8138252732d087d672fcf554fa71c83271cf5ab2a9bddbd040b190e796d61e721b2057d93532956b7a81f0c3d6bc40de64

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_38.jpg

Filesize
114KB

MD5
c343dedf95557fcd40f1f2f230e08fbe

SHA1
38f6b29a9097fa6b20a1eed4fbb1d29a2cd4b7af

SHA256
1f25f52f5176bdecd937a05b556646cd30b1660282f4d986269768d757cb38f7

SHA512
7d35f3682f7559652b2130cd56635caa0b827d4ac35098dd5f64273012b6350fa8fa37dc3b4ddb96c6880e0254c2fca74e31636a89120ddcf3e5b4322c8d93d9

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_41.jpg

Filesize
51KB

MD5
54b14c1b57066c0e442dbf8a5e61e874

SHA1
027d77c377344acebcd961c407bd0e28ebbd6971

SHA256
551842fd0fd92fbcfae9045c4495ebea8b8291fd194588d2dee6ce798e4cf207

SHA512
47c3135008581ab535e3d0ba246842768d816512bb51c45fc2b4ea858fc39d1d3493bc3d33e7b9a5f72cbf70f88e3cf9089e317e2e21b1a2ed37f67f4fa11d04

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__17_47_48.jpg

Filesize
56KB

MD5
7e34f6014c7f162e043140ca0760a283

SHA1
d248a5406a9edf47e492326622f0d5acd7e1a159

SHA256
e2508f9a524591302af3085c5abc7f5b0efe65b261d8ad32c3f392f8a240a3ff

SHA512
4b32a9e875b272d6692eec912b1ddb7f0c1211fb9e165f41e1d89385b5e213a50573e32ed4d3a3fdf027d209ec29963db99e389af096c5a0e45b5d1ee074600d

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_01.jpg

Filesize
154KB

MD5
4454b9048e1a38a4bf77076de260c491

SHA1
667fed71c60d3ae8070865d6cf6ad1b447a10c2c

SHA256
7405faf3c9a54737adb187fa13a6fc90a646ae07b241f536b9cb99f795c597a9

SHA512
06799c54f38d3906c4e92483c19f0d899eba51368f914579277509a81e544d417888e77669828ef9d1daca900b2ff196f0b2462e8a93c94b193283e7c0926c15

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__17_48_51.jpg

Filesize
71KB

MD5
5cd9419afdab35d61f9d0b630ddfab23

SHA1
f1a33d07cb71b08da25604991912911f8c2d6822

SHA256
544e5578480f1013e94bf47633327ee22ac42a0dc79404d4988bf0bedf5e1c91

SHA512
0265c06c2329fa2b0df6eaac10fed8ab3da491b7b878285160bb2e9a8472350a76b9d38e207459a96b80e6ecb8b0ce3035e1d68c72bdafdc3f04a5827d7ffb3d

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/4392-32-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-63-0x0000000000B20000-0x0000000000B7A000-memory.dmp

Filesize
360KB

Download
memory/4392-65-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-429-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-126-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-49-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4392-48-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4392-158-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-51-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/4392-50-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/4392-191-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-47-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4392-22-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4392-24-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4392-33-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-26-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4392-27-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4392-29-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4392-30-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4392-21-0x0000000000B20000-0x0000000000B7A000-memory.dmp

Filesize
360KB

Download
memory/4392-96-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4392-34-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-35-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-36-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-37-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-586-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-38-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-39-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-40-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-788-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-41-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-42-0x0000000003350000-0x0000000003353000-memory.dmp

Filesize
12KB

Download
memory/4392-44-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4392-45-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4392-46-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4392-1190-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4392-31-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4392-28-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4392-23-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4392-68-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4392-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download